Extract local CA if it expired

This adds a conditional that extracts certmonger's local CA if the certificate doesn't exist or if it has expired already. This adds the ability for the deployer to fix the undercloud installation with the undercloud install command itself if expiration of the CA cert happens. Change-Id: I61577be2434d7321dd462902d386c6911c2c4f57 Closes-Bug: #1753948
2018-03-07 10:57:37 +02:00 · 2018-03-07 10:57:37 +02:00 · a4ae09d169
parent 50f2bf278c
commit a4ae09d169
2 changed files with 2 additions and 2 deletions
--- a/manifests/certmonger/ca/local.pp
+++ b/manifests/certmonger/ca/local.pp
@ -31,7 +31,7 @@ class tripleo::certmonger::ca::local(
  exec { 'extract-and-trust-ca':
    command   => "${extract_cmd} && ${trust_ca_cmd}",
    path      => '/usr/bin',
-    creates   => $ca_pem,
+    unless    => "test -e ${ca_pem} && openssl x509 -checkend 0 -noout -in ${ca_pem}",
    tries     => 5,
    try_sleep => 1,
  }
--- a/spec/classes/tripleo_certmonger_ca_local_spec.rb
+++ b/spec/classes/tripleo_certmonger_ca_local_spec.rb
@ -34,7 +34,7 @@ describe 'tripleo::certmonger::ca::local' do

    it 'should extract CA cert' do
      is_expected.to contain_exec('extract-and-trust-ca').with(
-        :creates => params[:ca_pem],
+        :unless => "test -e #{params[:ca_pem]} && openssl x509 -checkend 0 -noout -in #{params[:ca_pem]}",
      )
    end
  end